OMB Spells Out Agencies' Cybersecurity TimelinesFederal Agencies Ordered to Identify 'Critical Software' That Must Then Be Protected
The Office of Management and Budget is ordering federal agencies to begin identifying "critical software" that needs protection as part of the effort to fulfill President Joe Biden's cybersecurity executive order issued in May.
A Wednesday memo from acting OMB Director Shalanda Young instructs federal agencies to begin identifying critical software currently used within their networks or scheduled to be purchased. Executive branch departments have 60 days to complete the task.
After they identify the critical software, agencies will have one year to implement the security measures identified by the National Institute of Standards and Technology to protect this software, according to the memo.
"Much of that software is commercially developed through an often opaque process that may lack sufficient controls to prevent the creation and exploitation of significant application security vulnerabilities," Young writes. "As a result, there is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely in the manner intended."
President Biden signed the cybersecurity executive order on May 12 following a series of cyberattacks against U.S. government agencies and businesses, including the supply chain attack that targeted SolarWinds and its customers. The order calls for sweeping changes in how the federal government protects its IT networks and infrastructures, including changes in how software is purchased and deployed (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
The executive order looks to address security issues in the software supply chain by requiring the federal government to create baseline security standards for software, including requiring developers to maintain greater visibility into their applications and make security data available. Agencies must also develop new requirements for ensuring that vendors address security as software is developed.
As a result of the order, NIST published a definition of "critical software" (see: NIST Releases 'Critical Software' Definition for US Agencies). This definition includes software or software dependencies that contain at least one of the following attributes:
- Is designed to run with elevated privilege or manage privileges;
- Has direct or privileged access to networking or computing resources;
- Is designed to control access to data or operational technology;
- Performs a function critical to trust;
- Operates outside of normal trust boundaries with privileged access.
The U.S. Cybersecurity and Infrastructure Security Agency will maintain a list of what applications meet the definition of critical software.
Besides requiring agencies to identify the critical software they use, the OMB memo directs agencies to adopt the cybersecurity measures published by NIST in July as well as any securities updates or guidance from NIST (see: NIST Publishes 'Critical Software' Security Guidance).
"There is a clear effort by the Biden administration to attempt to get government agencies on the same page in terms of their best practices and cybersecurity operations - something that is challenging to do given agencies have had a large degree of autonomy when it comes to how they manage their IT and cybersecurity - which is a good first step in building the comprehensive approach to cybersecurity that we need to combat modern threats," says Lisa Plaggemier, the interim executive director of the nonprofit National Cyber Security Alliance.
Plaggemier says it's not clear if all agencies will be able to complete the required security tasks within the time frame spelled out.
"Implementation could prove to be challenging given just how vast and fragmented each agency's cybersecurity operations are," Plaggemier says. "However, the phased-in approach outlined in the OMB memo should help ease these growing pains a bit and help to establish what the priorities should be to start, and then what the subsequent priorities should be. Time will tell in terms of whether agencies will be able to meet the implementation timelines that have been laid out."
An Aug. 3 congressional report found that despite over two years of pressure from lawmakers and executive branch leadership, many of the largest federal agencies, including the State Department and the Department of Health and Human Services, failed to implement even the most basic cybersecurity protections (see: Report: 7 Federal Agencies Still Lack Basic Cybersecurity).